Audit: Numerous Factors Aided MNsure Data Breach

Updated: 11/08/2013 9:56 AM KSTP.com
By: Scott Theisen/Jay Kolls


Leaders of Minnesota's new health insurance exchange could have done more to prevent the disclosure of Social Security numbers belonging to about 1,600 insurance agents, the state legislative auditor reported Thursday.

The auditor examined a September data breach by MNsure, the customer portal for purchasing insurance under the federal health overhaul. The report said the release was an accident and the agency responded properly, but it rejected claims from MNsure's executive director that what happened was only "an HR issue" that was addressed by firing the employee who was directly responsible.

"That version of what happened overlooks a series of significant decisions made not by the employee who inadvertently disclosed private data but by others at MNsure," the report read. In a written response, executive director April Todd-Malmlov took no issue with the report's findings and laid out multiple responses underway to prevent future security mistakes.

On Sept. 12, a MNsure employee e-mailed an insurance agent in Burnsville a document with the private information attached. The agents whose data was disclosed were among a larger group seeking certification to use the MNsure website to sell insurance products.

According to the audit, the employee - a broker coordinator who'd worked at MNsure for just one month - immediately realized the mistake and notified both the recipient of the email and MNsure's data privacy officer.

The legislative auditor said there was no evidence that what happened was anything but a mistake. The employee in question was fired from state government.

The audit found that MNsure officials acted quickly to repair the fallout, notifying the agents whose data was disclosed and confirming that the agent who got the email didn't spread it any further. MNsure has also notified those agents that it's paying for a year of identity protection for each of them.

But the audit pointed out that it was MNsure executives who decided to collect Social Security numbers from agents in the first place - only to realize after the security breach that it had never been necessary to do so. The audit also reveals that the agency continued to collect the numbers for several days after Todd-Malmlov told state lawmakers they were stopping.

The report also found the agency should have used more secure methods of collecting private data, assigned more staff to the process of certifying insurance agents, and provided better data privacy training for employees.

In her written response to Legislative Auditor Jim Nobles, Todd-Malmlov detailed steps MNsure has taken in response, including data privacy sessions with staff and a commitment to further such training; workstation reviews to make sure security policies are in practice; and hiring of privacy consultants for its own analysis of factors that led to the security breach.